Caught · Critical · C2 / beaconing
A quiet workstation was beaconing to St Kitts every two minutes.
A host behind an edge firewall made a near-perfect 120-second outbound connection to a freshly-allocated Caribbean IP — the heartbeat of command-and-control. The firewall allowed it. ThisFirewall resolved the owner, correlated four signals into one timeline, and raised a single critical story instead of four orphan alerts.
ioc_match: dst on GreenSnow threat feed
c2_beaconing: 120s ± 5s, 99% regularity
enrich: owner = new St Kitts ASN
correlate: 4 signals → 1 story, score 95
Action: Block the /21 outbound + put EDR on the host. One click to the ticket.

Correctly ignored · C2 / beaconing
An identical beacon — that turned out to be a video game.
A phone on the guest VLAN beaconed to a single IP every 120 seconds: the same shape as the St Kitts C2. But ThisFirewall resolved the destination to Jagex Ltd — the makers of RuneScape — and recognised gaming infrastructure. It auto-downgraded the alert to low instead of paging anyone.
c2_beaconing: 120s interval, 99% regularity
ip-identity: owner = JAGEX-AS (gaming)
gate: 4d every target = gaming → downgrade
verdict: benign · auto-low · audited
Outcome: No page, no ticket, no analyst time. The signal stays visible — just not screaming.
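The two beaconing stories above share one detector and differ only in the enrichment gate. The following is an added example of that logic, not ThisFirewall's code: it scores a connection series by interval regularity, then lets the destination owner's category decide whether the verdict is paged as critical or downgraded to low. The timestamps, the owner lookup table, the 0.95 regularity threshold and the category policy are constructed assumptions.

```python
"""Beacon-regularity scoring with an owner-based downgrade gate.

Added example, not ThisFirewall code. The timestamps, the owner lookup table
and the category-to-severity policy below are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed stand-in for an ASN / owner enrichment lookup (assumed data).
OWNER_BY_DST = {
    "203.0.113.9": {"owner": "NEW-STKITTS-ASN", "category": "new_allocation"},
    "198.51.100.7": {"owner": "JAGEX-AS", "category": "gaming"},
}

# Destination categories whose beacons are downgraded rather than paged (assumed policy).
BENIGN_CATEGORIES = {"gaming"}


def beacon_stats(timestamps):
    """Return (mean_interval, stdev_interval, regularity) for sorted connection
    times in seconds, or None with fewer than three connections.
    regularity = 1 - stdev/mean, clamped to [0, 1]; 1.0 is a perfect clock."""
    if len(timestamps) < 3:
        return None
    gaps = [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    s = pstdev(gaps)
    regularity = max(0.0, 1.0 - s / m) if m > 0 else 0.0
    return m, s, regularity


def classify_beacon(timestamps, dst, min_regularity=0.95):
    """Score a connection series to one destination and gate the verdict on
    the destination owner's category. The signal shape is identical either
    way; only the enrichment decides the severity."""
    stats = beacon_stats(timestamps)
    if stats is None:
        return {"verdict": "insufficient_data"}
    m, s, regularity = stats
    if regularity < min_regularity:
        return {"verdict": "no_beacon", "regularity": round(regularity, 3)}
    owner = OWNER_BY_DST.get(dst, {"owner": "unknown", "category": "unknown"})
    if owner["category"] in BENIGN_CATEGORIES:
        verdict, severity = "benign", "low"      # kept visible, never paged
    else:
        verdict, severity = "c2_beaconing", "critical"
    return {
        "verdict": verdict,
        "severity": severity,
        "interval_s": round(m, 1),
        "jitter_s": round(s, 1),
        "regularity": round(regularity, 3),
        "owner": owner["owner"],
        "category": owner["category"],
    }


# Constructed connection series: a 120 s heartbeat with a few seconds of jitter.
HEARTBEAT = [0, 120, 243, 360, 478, 600, 722, 840]

if __name__ == "__main__":
    print(classify_beacon(HEARTBEAT, "203.0.113.9"))   # critical C2 story
    print(classify_beacon(HEARTBEAT, "198.51.100.7"))  # same shape, downgraded to low
```

The downgrade keeps the record (verdict, owner and regularity are all returned) so the decision remains auditable, which is what "auto-low · audited" requires; suppressing the event entirely would lose the evidence if the owner lookup were ever wrong.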

Caught · High · Recon / scanning
A German bulletproof host was hammering the VPN portals.
A /24 on a known bulletproof-hosting ASN opened 11,000+ connections to the SSL-VPN portals on two firewalls — every one reset, zero successful logins in 30 days. ThisFirewall flagged the IoC match and the scan pattern, and confirmed no auth ever succeeded, so it surfaced the right action: block, don't panic.
ioc_match: Spamhaus DROP /24
scan: 11k conns → SSL-VPN :10443
auth check: 0 tunnels / 0 logins, 30d
enrich: owner = DE bulletproof ASN
Action: Block the DROP ranges inbound; geo-restrict SSL-VPN. Threat-feed connector makes it permanent.
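What turns this from a panic into a block is the cross-check against the authentication log: a high-volume source with zero successful logins is a scanner to be blocked, while the same volume with even one success is a possible compromise to investigate. The code below is an added example of that cross-check, not ThisFirewall's code. The drop-list prefix, the connection and auth events, the port and the 1,000-connection threshold are constructed assumptions.

```python
"""Inbound VPN-portal scan versus authentication cross-check.

Added example, not ThisFirewall code. The drop-list prefix, the event records
and the thresholds are constructed (assumed) values covering one review window.
"""
import ipaddress
from collections import Counter

# Constructed: a prefix imported from a drop list (assumed).
DROP_LIST = [ipaddress.ip_network("203.0.113.0/24")]
VPN_PORT = 10443


def src_net(ip):
    """Aggregate sources by their /24, which is how the story above counts them."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def assess_vpn_scans(conn_events, auth_events, min_conns=1000):
    """conn_events: (src_ip, device, dport, tcp_flags) from the firewall log.
    auth_events: (src_ip, device, result) from the SSL-VPN auth log.
    Returns one assessment per /24 that exceeded min_conns to the portal."""
    conns = Counter()
    for src, _device, dport, _flags in conn_events:
        if dport == VPN_PORT:
            conns[src_net(src)] += 1
    successes = Counter()
    for src, _device, result in auth_events:
        if result == "success":
            successes[src_net(src)] += 1
    assessments = []
    for net, count in conns.items():
        if count < min_conns:
            continue
        ok = successes[net]
        on_drop_list = any(net.subnet_of(d) for d in DROP_LIST)
        # No success in the window: block the range. Any success: a login from a
        # scanning range needs a human, because it may be a real compromise.
        action = "block_inbound" if ok == 0 else "investigate_logins"
        assessments.append({
            "src_net": str(net),
            "conns": count,
            "successful_logins": ok,
            "ioc_match": on_drop_list,
            "action": action,
        })
    return assessments


# Constructed events: 11,000 reset connections from the drop-listed /24 across two
# firewalls, plus one legitimate user who connects and authenticates normally.
SCAN_EVENTS = [(f"203.0.113.{1 + i % 250}", "fw-a" if i % 2 else "fw-b", VPN_PORT, "RST")
               for i in range(11_000)]
USER_EVENTS = [("198.51.100.20", "fw-a", VPN_PORT, "ACK") for _ in range(50)]
AUTH_EVENTS = [("198.51.100.20", "fw-a", "success")]

if __name__ == "__main__":
    for a in assess_vpn_scans(SCAN_EVENTS + USER_EVENTS, AUTH_EVENTS):
        print(a)
```

The legitimate user never appears in the output because 50 connections is below the threshold; the scanning range appears once with `successful_logins` 0 and `action` `block_inbound`.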

Correctly ignored · Account takeover
A "credential-stuffing takeover" that was just one user, two offices.
66 failed VPN logins from the Netherlands plus a successful login looked like a textbook account takeover — until ThisFirewall noticed the fails and the success were on different firewalls. The foreign spray hit office A; the real user logged in normally at office B. No overlap, no compromise.
sslvpn_brute: 66 NL fails + 1 success
correlate: fails ∩ success devices = 0
rule: ATO needs device overlap
verdict: de-escalated critical → medium
Outcome: No 3am call-out. The fix is permanent — the detector now requires the overlap before it cries ATO.
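The rule change described above, as an added example that is not ThisFirewall's code: failures and the success must land on at least one common device before the detector raises an account-takeover story; with no overlap the event is kept at medium. The auth events, device names, the 50-failure threshold and the severities for the other branches are constructed assumptions.

```python
"""Account-takeover rule that requires device overlap between failures and success.

Added example, not ThisFirewall code. The events, device names, failure
threshold and branch severities are constructed (assumed) values.
"""
from collections import defaultdict


def ato_verdict(events, user, fail_threshold=50):
    """events: (device, user, src_country, result) from SSL-VPN auth logs.

    The success only counts as a takeover if it happened on a device that also
    saw the failures; a spray at office A and a normal login at office B do not
    overlap and are de-escalated."""
    fails_by_device = defaultdict(int)
    fail_countries = set()
    success_devices = set()
    for device, u, country, result in events:
        if u != user:
            continue
        if result == "fail":
            fails_by_device[device] += 1
            fail_countries.add(country)
        elif result == "success":
            success_devices.add(device)
    total_fails = sum(fails_by_device.values())
    if total_fails < fail_threshold:
        return {"verdict": "none", "fails": total_fails}
    if not success_devices:
        # Assumed policy: a spray with no success is a brute-force story, not ATO.
        return {"verdict": "brute_force", "severity": "high", "fails": total_fails,
                "fail_countries": sorted(fail_countries)}
    overlap = set(fails_by_device) & success_devices
    if overlap:
        return {"verdict": "ato", "severity": "critical", "fails": total_fails,
                "overlap_devices": sorted(overlap), "fail_countries": sorted(fail_countries)}
    return {"verdict": "spray_no_overlap", "severity": "medium", "fails": total_fails,
            "fail_devices": sorted(fails_by_device), "success_devices": sorted(success_devices),
            "fail_countries": sorted(fail_countries)}


# Constructed: 66 failures from NL against office A, one normal login at office B.
EVENTS = [("fw-office-a", "jdoe", "NL", "fail")] * 66 + [("fw-office-b", "jdoe", "GB", "success")]

if __name__ == "__main__":
    print(ato_verdict(EVENTS, "jdoe"))                                       # medium, no overlap
    print(ato_verdict(EVENTS + [("fw-office-a", "jdoe", "NL", "success")], "jdoe"))  # critical
```

The returned record names both device sets, so an analyst reviewing the medium-severity event can confirm the de-escalation at a glance rather than re-querying the logs.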

Caught · Critical · Exfiltration
A backup service started shipping data to a country it never had before.
ThisFirewall learns each application's normal destination countries. When a backup service suddenly pushed over a gigabyte to a destination it had never used in 30 days, the drift — weighted by volume and the destination's reputation — escalated immediately. Normal-looking traffic, abnormal destination.
baseline: app's normal = 3 countries
drift: new country + 1.2GB out
reputation: dst ASN flagged
score: drift × volume × rep → high
Action: Investigate the host + service account; confirm whether the destination is sanctioned. Pivot to flows in one click.
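One way to implement the drift × volume × reputation score above, as an added example rather than ThisFirewall's own weighting: drift is 1 for a destination country the application has never used in the baseline window and 0 otherwise, volume is log-scaled so that a gigabyte saturates it, and reputation is 1 for a flagged ASN and a small neutral value otherwise. The baseline, the reputation table, the country and ASN values, and the severity cut-offs are all constructed assumptions.

```python
"""Destination-drift scoring for an application's outbound traffic.

Added example, not ThisFirewall code. The baseline, reputation table, and the
weights and cut-offs are constructed to illustrate drift × volume × reputation.
"""
import math

# Constructed 30-day baseline: app -> {destination country: bytes out}.
BASELINE = {"backup-svc": {"US": 40e9, "DE": 12e9, "NL": 3e9}}

# Constructed reputation of destination ASNs: 1.0 = flagged by a feed.
ASN_REPUTATION = {"AS64500": 1.0}
NEUTRAL_REPUTATION = 0.25   # assumed weight for an ASN with no reputation data


def volume_factor(bytes_out):
    """Log-scaled volume in [0, 1]: 1 MB or less -> 0.0, 1 GB or more -> 1.0."""
    if bytes_out <= 1e6:
        return 0.0
    return min(1.0, math.log10(bytes_out / 1e6) / 3)


def drift_score(app, dst_country, dst_asn, bytes_out, baseline=BASELINE):
    """Return the score and severity for one (app, destination) observation.

    A destination country already in the baseline gives drift 0, so large
    transfers to normal destinations never score here; only a never-seen
    country, scaled by how much left and where it went, can escalate."""
    known = baseline.get(app, {})
    drift = 0.0 if dst_country in known else 1.0
    rep = ASN_REPUTATION.get(dst_asn, NEUTRAL_REPUTATION)
    score = drift * volume_factor(bytes_out) * rep
    if score >= 0.7:        # assumed cut-offs
        severity = "high"
    elif score >= 0.3:
        severity = "medium"
    elif score > 0:
        severity = "low"
    else:
        severity = "none"
    return {
        "app": app,
        "dst_country": dst_country,
        "new_country": drift == 1.0,
        "bytes_out": bytes_out,
        "reputation": rep,
        "score": round(score, 3),
        "severity": severity,
    }


if __name__ == "__main__":
    # Constructed: 1.2 GB to a never-seen country ("XX" placeholder) on a flagged ASN.
    print(drift_score("backup-svc", "XX", "AS64500", 1.2e9))   # high
    print(drift_score("backup-svc", "US", "AS64500", 1.2e9))   # none: normal destination
    print(drift_score("backup-svc", "XX", "AS64499", 50e6))    # low: small, neutral ASN
```

Because the three factors multiply, any one of them at zero silences the score; that is deliberate, since the story above is about an abnormal destination, not about volume on its own.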

Correctly ignored · UEBA / identity
The "riskiest user on the network" was a VPN interface.
User-behaviour analytics flagged an account with an 18-million-sample, multi-gigabyte baseline as a wild anomaly. It wasn't a person — it was dialup1, an IPsec dial-up interface the firewall reports as a pseudo-user. ThisFirewall's identity classifier recognised the non-human pattern and excluded it, keeping the user-risk board honest.
ueba: 18.5M samples, 3GB stddev
classifier: iface pseudo-account
action: excluded from user baselines
verdict: not a user · not a threat
Outcome: The real users stay in focus. Interfaces, IP literals and machine accounts never masquerade as people.
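An added example of the identity classifier step, not ThisFirewall's code: it sorts the names a firewall reports as "users" into people, interface pseudo-accounts, IP literals and machine accounts, and builds per-user baselines from the people only while recording what was excluded. The interface-name patterns and sample identities are constructed assumptions and would need to match what your own firewall actually emits.

```python
"""Pseudo-user classifier for UEBA baselines.

Added example, not ThisFirewall code. The interface-name patterns and the
sample identities are constructed (assumed).
"""
import ipaddress
import re

# Constructed patterns for interface names that firewalls report as pseudo-users
# (e.g. "dialup1"); extend to the naming scheme of the devices you manage.
INTERFACE_RE = re.compile(r"^(dialup|ipsec|tunnel|wan|lan|vlan|port)\d+$", re.IGNORECASE)


def classify_identity(name):
    """Return 'user', 'interface', 'ip_literal' or 'machine_account'."""
    try:
        ipaddress.ip_address(name)
        return "ip_literal"          # a bare address reported where a user name belongs
    except ValueError:
        pass
    if name.endswith("$"):
        return "machine_account"     # Windows computer-account convention
    if INTERFACE_RE.match(name):
        return "interface"
    return "user"


def user_baselines(samples):
    """samples: (identity, bytes_transferred). Returns (baselines, excluded):
    baselines holds byte samples for human users only; excluded maps each
    non-human identity to why it was left out, so the exclusion is auditable."""
    baselines, excluded = {}, {}
    for identity, nbytes in samples:
        kind = classify_identity(identity)
        if kind == "user":
            baselines.setdefault(identity, []).append(nbytes)
        else:
            excluded[identity] = kind
    return baselines, excluded


# Constructed samples: two people, one dial-up interface, one IP literal, one machine.
SAMPLES = [
    ("alice", 120_000), ("alice", 95_000), ("bob", 40_000),
    ("dialup1", 3_000_000_000), ("10.20.30.40", 800_000), ("WS-042$", 2_000_000),
]

if __name__ == "__main__":
    baselines, excluded = user_baselines(SAMPLES)
    print(baselines)   # only alice and bob
    print(excluded)    # dialup1 -> interface, 10.20.30.40 -> ip_literal, WS-042$ -> machine_account
```

Keeping the excluded map alongside the baselines is what lets the "riskiest user" board be checked later: an identity that was silenced as an interface is still visible as such, rather than simply disappearing.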

Caught · Critical · Vulnerability
A firewall running firmware that's being exploited in the wild.
ThisFirewall cross-references each device's running firmware against vendor advisories and the CISA Known-Exploited-Vulnerabilities catalog. When a device's exact version fell inside the affected range of an actively-exploited CVE, it escalated to critical — earned, not assumed: a product mention alone is only flagged "version unconfirmed".
firmware: running version captured
psirt × kev: in affected range + KEV
match: version_range = confirmed
verdict: critical · patch now
Action: Prioritise this firmware upgrade above all others — it's a known, exploited, drop-everything patch.
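The matching logic described above, as an added example that is not ThisFirewall's code: a captured version string is parsed, compared against each advisory's inclusive affected ranges, and escalated to critical only when it falls inside a range of a KEV-listed CVE; a device whose version was never captured gets "version unconfirmed" rather than a severity. The advisory records, product name, version strings and the CVE identifier (a placeholder, not a real CVE) are constructed assumptions.

```python
"""Firmware version matching against advisory ranges and the KEV catalog.

Added example, not ThisFirewall code. The advisory records, product name,
device inventory and the placeholder CVE id are constructed; a real system
would load them from the vendor PSIRT feed and the CISA KEV catalog.
"""
import re


def parse_version(text):
    """'7.0.9', 'v7.0.9 build1234' -> (7, 0, 9). Tuples compare element-wise."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def in_range(version, low, high):
    """Inclusive range check; shorter tuples are zero-padded so 7.2 == 7.2.0."""
    width = max(len(version), len(low), len(high))

    def pad(v):
        return v + (0,) * (width - len(v))

    return pad(low) <= pad(version) <= pad(high)


# Constructed advisories. "CVE-0000-00000" is a placeholder id, not a real CVE.
ADVISORIES = [
    {
        "cve": "CVE-0000-00000",
        "product": "examplefw",
        "affected": [("7.0.0", "7.0.11"), ("7.2.0", "7.2.4")],
        "kev": True,
    },
]


def assess_device(device, advisories=ADVISORIES):
    """device: {'product': str, 'version': str | None}.

    Severity is earned by a confirmed version match; a product mention with
    no captured version is reported as 'version unconfirmed' and nothing more."""
    findings = []
    for adv in advisories:
        if adv["product"] != device["product"]:
            continue
        if device["version"] is None:
            findings.append({"cve": adv["cve"], "status": "version unconfirmed", "severity": "info"})
            continue
        version = parse_version(device["version"])
        hit = any(in_range(version, parse_version(lo), parse_version(hi))
                  for lo, hi in adv["affected"])
        if not hit:
            findings.append({"cve": adv["cve"], "status": "not affected", "severity": "none"})
        elif adv["kev"]:
            findings.append({"cve": adv["cve"], "status": "confirmed", "severity": "critical"})
        else:
            # Assumed policy: an in-range match without KEV listing is high, not critical.
            findings.append({"cve": adv["cve"], "status": "confirmed", "severity": "high"})
    return findings


if __name__ == "__main__":
    print(assess_device({"product": "examplefw", "version": "v7.0.9 build1234"}))  # critical
    print(assess_device({"product": "examplefw", "version": "7.0.12"}))            # not affected
    print(assess_device({"product": "examplefw", "version": None}))                # unconfirmed
```

The zero-padding in `in_range` matters in practice: vendors publish ranges like "7.2 through 7.2.4", and a naive tuple comparison would treat `(7, 2)` as less than `(7, 2, 0)` and miss the lower bound.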

Caught · High · Lateral movement
One internal host quietly knocking on 400 ports a minute.
Buried in the denied-traffic noise that most tools ignore, a single internal host was probing hundreds of ports across the network in under a minute — the signature of lateral reconnaissance after a foothold. ThisFirewall keeps internal denied spikes as signal (not perimeter noise) and surfaced it.
denied_spike: 412 ports / 60s, one src
direction: internal → internal
context: kept as signal, not gated
verdict: lateral recon · investigate host
Action: Isolate and inspect the source host — internal port-sweeps rarely have a benign explanation.
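An added example of the denied-spike detector, not ThisFirewall's code: it keeps only denied flows whose source and destination are both internal, then slides a 60-second window per source and counts distinct destination ports, so perimeter noise from the internet is never mixed into the count. The internal ranges, the constructed flow records and the 100-port threshold are assumptions.

```python
"""Internal denied-traffic port-sweep detector over a sliding window.

Added example, not ThisFirewall code. The internal ranges, the denied-flow
records and the threshold are constructed (assumed).
"""
import ipaddress
from collections import Counter, defaultdict, deque

# Assumed internal address space; adjust to the environment's real ranges.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def denied_port_sweeps(denied_flows, window_s=60, min_ports=100):
    """denied_flows: (ts_seconds, src, dst, dport) for flows the firewall denied.

    Only internal -> internal denies count as signal. For each source, the
    peak number of distinct destination ports inside any window_s-second span
    is computed with a sliding window; sources at or above min_ports are returned."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in denied_flows:
        if is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dport))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        live = deque()          # (ts, dport) still inside the window
        ports = Counter()       # dport -> occurrences inside the window
        peak = 0
        for ts, dport in events:
            live.append((ts, dport))
            ports[dport] += 1
            # Expire events older than the window and drop ports no longer present.
            while live and ts - live[0][0] > window_s:
                old_ts, old_port = live.popleft()
                ports[old_port] -= 1
                if ports[old_port] == 0:
                    del ports[old_port]
            peak = max(peak, len(ports))
        if peak >= min_ports:
            alerts.append({"src": src, "peak_distinct_ports": peak,
                           "window_s": window_s, "verdict": "lateral_recon"})
    return alerts


# Constructed denied flows: one host sweeping 412 ports in 55 s, an external
# source hammering one internal host (perimeter noise), and a host retrying
# a single port (repeated, but not a sweep).
DENIED = [(i * 55 / 412, "10.0.5.7", f"10.0.{1 + i % 20}.{10 + i % 200}", 1 + i) for i in range(412)]
DENIED += [(i * 0.1, "203.0.113.5", "10.0.1.10", 1 + i) for i in range(500)]
DENIED += [(i * 10.0, "10.0.9.9", "10.0.1.20", 445) for i in range(20)]

if __name__ == "__main__":
    for alert in denied_port_sweeps(DENIED):
        print(alert)   # only 10.0.5.7 with 412 distinct ports
```

The external source is discarded before counting, not merely down-weighted, which is the "kept as signal, not gated" distinction the story makes: internal denies are the signal, and perimeter denies are excluded from this detector rather than allowed to drown it.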